WebApp Sec mailing list archives

RE: unable to access web site embeds username & password


From: "Michael Silk" <michaels () phg com au>
Date: Tue, 22 Jun 2004 14:41:46 +1000

Noah,

        By wide audience do you mean *unknown* audience?

        I.e. you can simply set the site (your site) as a trusted site and it (IE)
        will automatically pass the login information via NTLM ...?

        Also, I'm interested ... what system did you use to provide some security
        token that is not susceptible to attack (at least attacks which SSL protects
        against)?

-- Michael

-----Original Message-----
From: Noah Gray [mailto:NGray () worldrelief net]
Sent: Tuesday, 22 June 2004 12:34 PM
To: webappsec () securityfocus com
Subject: RE: unable to access web site embeds username & password


I recently worked with an organization that had used this in some specific
cases for integration purposes. It was a CMS, complete with some inflexible
ISAPI filters that had mandated the use of the embedded basic
authentication, of course over SSL.

Just to help you resign yourself to your new fate, we searched high and low,
and found NO way to support this functionality in IE browsers for a wide
audience. In the end, we worked with each and every party to switch to a
token-based system in the querystring.

In the end, it was a great chance to rethink how our 3rd party
authentication worked. We were able to implement a system that could be
securely implemented without SSL, which is unheard of in the URL-embedded
basic system.

Believe me when I say that this is a must-upgrade situation. You have to use
some other way to authenticate these intranet users in IE.

Regards,

Noah Gray

-----Original Message-----
From: Ivo Mencke [mailto:imencke () servecentric com]
Sent: Monday, June 21, 2004 11:03 AM
To: bysoo1 () optusnet com au
Cc: webappsec () securityfocus com
Subject: Re: unable to access web site embeds username & password


A security update is available that modifies the default behavior of
Internet Explorer for handling user information in HTTP and in HTTPS
URLs

http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;834489

SUMMARY
A security update is available that removes support for handling user
names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or
HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is
no longer supported in Internet Explorer or in Windows Explorer after
you install the MS04-004 Cumulative Security Update for Internet
Explorer (832894): 

http(s)://username:password@server/resource.ext

i would say, use another browser ....

On Thu, 2004-06-17 at 12:31, OPTUSBYS wrote:
Dear all,

I have discovered that if I access my intranet with a URL that embeds the username and
password, it will not work on workstations that have the latest Microsoft
security patches installed.

http://username:password@webserver/website


Does anyone have a solution to this, because I still don't know which
security patch inhibits the access.

On the other hand, I don't really want to leave my workstations
unprotected too.


Thanks for your contribution.

Much appreciated.


Regards,
Seeker.
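The whole thread turns on the `http(s)://username:password@server/resource` URL form that MS04-004 stopped IE from accepting. Whatever the replacement scheme, the credentials that were embedded this way tend to survive in proxy logs, web-server logs, browser history and bookmarks, so a defender migrating away from it usually wants to find and scrub them. The following is an added example written for this archive page, not code from any of the posters: it locates URLs in free text, uses `urllib.parse` to pull apart the userinfo part, reports each finding and produces a redacted copy. The sample log lines, hostnames and credentials are constructed placeholders.

```python
"""Detect and redact credentials embedded in URLs (user:password@host form).

Added example for this thread, not code from any poster. The sample log
lines below are constructed; the hostnames and credentials are placeholders.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Crude URL locator for free text such as proxy or web-server logs.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

# Constructed sample: three lines with embedded credentials, two without.
SAMPLE_LOG = """\
2004-06-17 12:31:02 GET http://alice:s3cret@intranet.example/website 200
2004-06-17 12:31:05 GET http://intranet.example/website/logo.gif 200
2004-06-17 12:31:09 GET https://svc@cms.example:8443/api/items?id=7 200
2004-06-17 12:31:12 GET http://www.example.com/ 304
2004-06-17 12:31:20 GET http://bob:pa%40ss@[::1]:8080/report 200
"""


def split_userinfo(url: str):
    """Return (username, password, redacted_url).

    username/password are None when the URL carries no userinfo; the
    redacted URL has the whole user:password@ part removed.
    """
    parts = urlsplit(url)
    if parts.username is None:
        return None, None, url
    host = parts.hostname or ""
    if ":" in host:            # IPv6 literal: urlsplit strips the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    redacted = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return parts.username, parts.password, redacted


def find_embedded_credentials(text: str):
    """Scan free text for URLs with userinfo; return one dict per finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;)")   # drop sentence punctuation
            user, password, redacted = split_userinfo(url)
            if user is None:
                continue
            findings.append({
                "line": lineno,
                "username": user,
                "has_password": password is not None,
                "redacted_url": redacted,
            })
    return findings


def redact_text(text: str) -> str:
    """Return text with every user:password@ removed from the URLs in it."""
    def _sub(match):
        url = match.group(0)
        core = url.rstrip(".,;)")
        return split_userinfo(core)[2] + url[len(core):]
    return URL_RE.sub(_sub, text)


if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_LOG):
        print(finding)
    print(redact_text(SAMPLE_LOG))
```

`urlsplit` is used rather than a hand-written regex for the userinfo part because it already knows the netloc grammar (percent-encoded passwords, explicit ports, bracketed IPv6 hosts), and `redact_text` keeps the rest of each line intact so the scrubbed log stays usable for ordinary analysis.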